Abstract

This letter shows that linear Cellular Automata based on rules 90/150 generate all the solutions of linear difference equations with binary constant coefficients. Some of these solutions are pseudo-random noise sequences with application in cryptography: the sequences generated by the class of shrinking generators. Consequently, this contribution shows that shrinking generators do not provide enough guarantees to be used for encryption purposes. Furthermore, the linearization is achieved through a simple algorithm about which a full description is provided.

Keywords: Nonlinear Science, Cellular Automata, Predictability, Cryptanalysis.

"Linearity is the curse of the cryptographer" (J. L. Massey, Crypto'89)



1 Introduction 



Secret-key cryptography is commonly divided into block and stream ciphers. As opposed to block ciphers, stream ciphers encrypt each data symbol (as small as a bit) into a ciphertext symbol under a nonlinear dynamical transformation. Stream ciphers are the fastest among the encryption procedures, so they are implemented in many practical applications, e.g. the A5 algorithms in GSM communications [1], the generator RC4 in the Wi-Fi security protocol [2] or the encryption system E0 in the Bluetooth specifications [3].

A stream cipher procedure is based on the generation of a long keyed Pseudo-random Noise (PN) sequence and its addition to the original message. In particular, for encryption the sender performs the bit-wise XOR operation between the bits of the original message or plaintext and the pseudo-random noise sequence, giving rise to the ciphertext. For decryption, the receiver generates the same pseudo-random noise sequence, performs the same bit-wise XOR operation between the received ciphertext and the pseudo-random noise sequence and recovers the original message.

Most pseudo-random noise sequence generators are based on either chaotic 
encryption procedures (see for instance [4], [5] and [6]), or Linear Feedback 
Shift Registers (LFSRs) [7]. The output sequences of LFSRs have application 
in multiple areas such as spread spectrum communication, digital ranging, track- 
ing systems, simulation of random processes, computer sequencing and timing 
schemes. For their use in cryptography, such sequences are combined by means 
of nonlinear functions. That is the case of combinational generators, nonlinear 
filters, clock-controlled generators and irregularly decimated generators. All of 
them produce pseudo-random noise sequences with high linear complexity, long 
period and good statistical properties (see [8] and [9]). 

Cellular Automata (CA) are discrete structures with dynamical behaviour extensively studied and applied in modelling systems in physics, chemistry, biology, computer science and other disciplines. It has been proved [10] that one-dimensional linear CA generate exactly the same pseudo-random noise sequences as those of LFSRs. Regarding more complex generators, this work shows that certain CA generate exactly the same pseudo-random noise sequences as those of nonlinear generators based on LFSRs. Linearity in a cipher's behavior, say the cryptanalysts, is the end of the cipher: it essentially means that information is leaked from the plaintext to the ciphertext. In particular, this letter proves that a well known class of LFSR-based nonlinear generators, the shrinking generators, can be modelled in terms of linear CA. According to the cryptanalytic statement, this class of cryptographic generators has been broken.

This contribution proposes the use of difference equations and cellular au- 
tomata to predict the dynamic behavior of certain nonlinear noise sequences. 
The predictability of such sequences is carried out through the linearization of 
their generator. Furthermore, that linearization process seems to be applicable 
for more general noise sequence generators such as those based on quantum 
physics and chaotic processes. 

2 The class of shrinking generators

A shrinking generator is a nonlinear binary sequence generator composed of two LFSRs (see [11]): a control register, notated $R_1$, that decimates the sequence produced by the other register, notated $R_2$. Let $L_j \in \mathbb{N}$ ($j = 1, 2$) be their corresponding lengths with $\gcd(L_1, L_2) = 1$ and let $P_j(x) \in GF(2)[x]$ ($j = 1, 2$) be their corresponding characteristic polynomials of degree $L_j$. In practical applications, such polynomials are primitive in order to generate PN-sequences of maximum length. Henceforth, $\{a_i\}$ and $\{b_i\}$ ($i \geq 0$), $a_i, b_i \in GF(2)$, denote the binary sequences generated by $R_1$ and $R_2$, respectively. The output sequence of the generator (the shrunken sequence) is denoted by $\{c_j\}$ ($j \geq 0$) with $c_j \in GF(2)$. The sequence produced by $R_1$ determines which elements of the sequence produced by $R_2$ are included in the shrunken sequence. The decimation rule is:

1. If $a_i = 1 \Rightarrow c_j = b_i$

2. If $a_i = 0 \Rightarrow b_i$ is discarded.

A simple example illustrates the behavior of this structure.

Example 1: Let us consider the following LFSRs:

1. $R_1$ of length $L_1 = 3$, characteristic polynomial $P_1(x) = 1 + x^2 + x^3$ and initial state $IS_1 = (1, 0, 0)$. The PN-sequence generated by $R_1$ is $\{1, 0, 0, 1, 1, 1, 0\}$ with period $T_1 = 2^{L_1} - 1 = 7$.

2. $R_2$ of length $L_2 = 4$, characteristic polynomial $P_2(x) = 1 + x + x^4$ and initial state $IS_2 = (1, 0, 0, 0)$. The PN-sequence generated by $R_2$ is $\{1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1\}$ with period $T_2 = 2^{L_2} - 1 = 15$.

The output sequence $\{c_j\}$ is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b_i\}$ → 1000100110101111000100

• $\{c_j\}$ → 1010110110010

According to the decimation rule, the bits of $\{b_i\}$ that face a 0 in $\{a_i\}$ (underlined in the original typesetting) are discarded. Thus, the sequence produced by the shrinking generator is a decimation of $\{b_i\}$ governed by the bits of $\{a_i\}$. According to [11], the period of the shrunken sequence is $T = (2^{L_2} - 1)\, 2^{(L_1 - 1)}$ and its linear complexity, notated $LC$, satisfies the following inequality

$$L_2\, 2^{(L_1 - 2)} < LC \leq L_2\, 2^{(L_1 - 1)}. \qquad (1)$$

In addition, the shrunken sequence is balanced and has good distributional statistics. Therefore, this scheme is suitable for practical implementation of stream cipher cryptosystems and pattern generators.
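As an added example (not code from the letter), the shrinking generator of Section 2 in Python with the parameters of Example 1: both LFSRs are clocked from the stated characteristic polynomials and initial states, the decimation rule is applied, and the period of the shrunken sequence is checked against $T = (2^{L_2} - 1)\,2^{(L_1 - 1)}$; a Berlekamp-Massey routine (added here, not part of the letter) measures the linear complexity so it can be compared with inequality (1).

```python
# Shrinking generator of Section 2 with the parameters of Example 1.
# A characteristic polynomial 1 + c_1 x + ... + c_L x^L is held as the
# coefficient list [1, c_1, ..., c_L]; the LFSR follows recurrence (4).

def lfsr(poly, state, nbits):
    """First nbits of the LFSR with characteristic polynomial poly
    (low degree first) started from state (a_0, ..., a_{L-1})."""
    L = len(poly) - 1
    seq = list(state)
    while len(seq) < nbits:
        n = len(seq)
        new = 0                      # a_n = XOR of the tapped earlier terms
        for i in range(1, L + 1):
            new ^= poly[L - i] & seq[n - i]
        seq.append(new)
    return seq[:nbits]

def shrink(a, b):
    """Decimation rule: b_i is kept when a_i = 1 and discarded otherwise."""
    return [bi for ai, bi in zip(a, b) if ai == 1]

def period(seq):
    """Smallest shift p under which the observed window repeats itself."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None

def linear_complexity(s):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing s."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

# Example 1: R1 with 1 + x^2 + x^3 (L1 = 3), R2 with 1 + x + x^4 (L2 = 4)
P1, IS1, L1 = [1, 0, 1, 1], [1, 0, 0], 3
P2, IS2, L2 = [1, 1, 0, 0, 1], [1, 0, 0, 0], 4

def example_1(nclock=210):
    """Clock both registers nclock times; returns {a_i}, {b_i} and {c_j}."""
    a = lfsr(P1, IS1, nclock)
    b = lfsr(P2, IS2, nclock)
    return a, b, shrink(a, b)

def lc_bounds(L1, L2):
    """Inequality (1): L2 * 2^(L1-2) < LC <= L2 * 2^(L1-1)."""
    return L2 * 2 ** (L1 - 2), L2 * 2 ** (L1 - 1)
```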

3 Linear multiplicative polynomial CA

CA are particular forms of finite state machines defined as uniform arrays of identical cells in an n-dimensional space (see [12]). The cells change their states (contents) synchronously at discrete time instants. The next state of each cell depends on the current states of the neighbor cells according to its transition rule. If the transition rules are all linear, so will be the automaton under consideration. In this letter, we will deal with a particular kind of binary CA, the so-called linear multiplicative polynomial cellular automata. They are discrete dynamical systems characterized by:

1. Their underlying topology is one-dimensional, that is, they can be represented by a succession of $L$ cells where $L$ is an integer that denotes the length of the automaton. The state of the $i$-th cell at instant $n$, notated $x_i^n$, takes values in a finite field, $x_i^n \in GF(2)$.

2. They are linear cellular automata as the transition rule for each cell is a linear mapping $\Phi_i : GF(2)^k \to GF(2)$ where

$$x_i^{n+1} = \Phi_i(x_{i-q}^n, \ldots, x_i^n, \ldots, x_{i+q}^n) \qquad (i = 1, \ldots, L) \qquad (2)$$

$k = 2q + 1$ being the size of the neighborhood.

3. Each one of these cellular automata is uniquely represented by an $L \times L$ transition matrix $M$ over $GF(2)$. The characteristic polynomial of such matrices is of the form

$$P_M(x) = (P(x))^p \qquad (3)$$

where $P(x) = x^r + \sum_{j=1}^{r} c_j\, x^{r-j}$ denotes an irreducible (primitive) polynomial of degree $r$ over $GF(2)$ and $p$ an integer such that $L = p \cdot r$.

This letter is concentrated on one-dimensional binary linear CA with neighborhood size $k = 3$ and particular transition rules defined as follows:

Rule 90: $x_i^{n+1} = x_{i-1}^n \oplus x_{i+1}^n$

Rule 150: $x_i^{n+1} = x_{i-1}^n \oplus x_i^n \oplus x_{i+1}^n$

where the symbol $\oplus$ represents the XOR logic operation. Remark that they are linear and very simple transition rules involving just the addition of either two bits (rule 90) or three bits (rule 150).

For a cellular automaton of length $L = 10$ cells, configuration rules (90, 150, 150, 150, 90, 90, 150, 150, 150, 90) and initial state (0, 0, 0, 1, 1, 1, 0, 1, 1, 0), Table 1 illustrates the behavior of this structure: the formation of its output sequences (binary sequences read vertically) and the succession of states (binary configurations of 10 bits read horizontally). In addition, cells with permanent null contents are supposed to be adjacent to the array extreme cells.
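As an added example, not code from the letter: a simulation of the 90/150 automaton of Table 1 (null cells beyond both ends, as stated above) that produces the succession of states, the output sequence of each cell, and the number of steps after which the automaton returns to its initial state.

```python
# 90/150 linear cellular automaton of Section 3 with null boundary cells,
# run on the 10-cell configuration and initial state of Table 1.

RULES = (90, 150, 150, 150, 90, 90, 150, 150, 150, 90)
INITIAL = (0, 0, 0, 1, 1, 1, 0, 1, 1, 0)

def ca_step(state, rules):
    """One synchronous update: rule 90 XORs the two neighbours, rule 150
    XORs the two neighbours and the cell itself.  Cells beyond both ends
    hold a permanent 0, as stated for Table 1."""
    L = len(state)
    nxt = []
    for i in range(L):
        left = state[i - 1] if i > 0 else 0
        right = state[i + 1] if i < L - 1 else 0
        v = left ^ right
        if rules[i] == 150:
            v ^= state[i]
        nxt.append(v)
    return tuple(nxt)

def ca_run(state, rules, steps):
    """Succession of states (rows of Table 1); column i is the output of cell i."""
    rows = [tuple(state)]
    for _ in range(steps):
        rows.append(ca_step(rows[-1], rules))
    return rows

def cell_sequence(rows, i):
    """Output sequence of the i-th cell, i.e. column i read vertically."""
    return [row[i] for row in rows]

def state_period(state, rules):
    """Number of steps until the automaton returns to its initial state."""
    start = tuple(state)
    s, t = ca_step(start, rules), 1
    while s != start:
        s, t = ca_step(s, rules), t + 1
    return t

def cell_period(state, rules, i):
    """Period of the i-th cell's output sequence, measured over two state cycles."""
    T = state_period(state, rules)
    seq = cell_sequence(ca_run(state, rules, 2 * T), i)
    for p in range(1, T + 1):
        if all(seq[k] == seq[k + p] for k in range(len(seq) - p)):
            return p
    return T
```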

The characteristic polynomial $P(x)$ of an arbitrary binary sequence $\{a_n\}$ specifies its linear recurrence relationship. This means that the $n$-th element $a_n$ can be written as a linear combination of the previous elements:

$$a_n \oplus \sum_{i=1}^{r} c_i\, a_{n-i} = 0, \qquad n \geq r. \qquad (4)$$

The linear recursion is expressed as a linear difference equation:

$$\Big(E^r \oplus \sum_{i=1}^{r} c_i\, E^{r-i}\Big)\, a_n = 0, \qquad n \geq 0 \qquad (5)$$

where $E$ is the shifting operator that operates on $a_n$, i.e. $E a_n = a_{n+1}$. If the characteristic polynomial $P(x)$ is primitive and $\alpha$ one of its roots, then

$$\alpha, \alpha^2, \alpha^{2^2}, \ldots, \alpha^{2^{r-1}} \qquad (6)$$

are the $r$ different roots of such a polynomial as well as primitive elements in $GF(2^r)$ (see [13]).

Now, if the characteristic polynomial of an arbitrary binary sequence $\{a_n\}$ is of the form $P_M(x) = (P(x))^p$ as defined in (3), then its roots will be the same as those of $P(x)$ but with multiplicity $p$. The corresponding difference equation will be:

$$\Big(E^r \oplus \sum_{i=1}^{r} c_i\, E^{r-i}\Big)^p a_n = 0, \qquad n \geq 0 \qquad (7)$$

and its solutions are of the form

$$a_n = \sum_{j=0}^{r-1} \sum_{m=0}^{p-1} \binom{n}{m} A_m^{2^j}\, \alpha^{2^j n}$$

where $A_m$ is an arbitrary element in $GF(2^r)$. Different choices of $A_m$ will give rise to different sequences $\{a_n\}$. Consequently, all the binary sequences $\{a_n\}$ of characteristic polynomial $P_M(x) = (P(x))^p$ can be generated by linear multiplicative polynomial CA, and all of them are solutions of the linear difference equation described in (7). Our analysis focuses on all the possible solutions of this equation.



4 Realization of linear multiplicative polynomial CA

In the previous section, algebraic properties of the sequences obtained from multiplicative polynomial CA have been considered. Now the particular form of these automata is analyzed.

A natural way of representation for this type of 90/150 linear CA is a binary $L$-tuple $\Delta = (d_1, d_2, \ldots, d_L)$ where $d_i = 0$ if the $i$-th cell verifies rule 90 while $d_i = 1$ if the $i$-th cell verifies rule 150. The Cattell and Muzio synthesis algorithm [10] presents a method of computing two 90/150 CA corresponding to a given polynomial. Such an algorithm takes as input an irreducible polynomial $Q(x)$ and computes two reversal $L$-tuples corresponding to two different linear CA whose output sequences have $Q(x)$ as characteristic polynomial. The total number of operations required for this algorithm is linear in the degree of the polynomial and is listed in [10] (Table II, page 334). The method is efficient for all practical applications (e.g. in 1996 finding a pair of length 300 CA took 16 CPU seconds on a SPARC 10 workstation). For cryptographic applications, the degree of the primitive polynomial $P(x)$ is $L_2 \approx 64$, so that the computing time is negligible. Finally, a list of one-dimensional linear CA of degree through 500 can be found in [14].

Since the characteristic polynomials we are dealing with are of the form $P_M(x) = (P(x))^p$, it seems quite natural to construct a multiplicative polynomial cellular automaton by concatenating $p$ times the automaton whose characteristic polynomial is $P(x)$. The procedure of concatenation is based on the following result.

Lemma 1. Let $\Delta = (d_1, d_2, \ldots, d_L)$ be the representation of a one-dimensional binary linear cellular automaton with $L$ cells and characteristic polynomial $P_L(x) = (x + d_1)(x + d_2) \ldots (x + d_L)$. The cellular automaton whose characteristic polynomial is $P_{2L}(x) = (P_L(x))^2$ is represented by:

$$\Delta' = (d_1, d_2, \ldots, \overline{d_L}, \overline{d_L}, \ldots, d_2, d_1) \qquad (8)$$

where the overline symbol represents bit complementation.

Proof. The result follows from the fact that:

$$P_{\overline{L}}(x) = P_L(x) + P_{L-1}(x)$$

where $P_{\overline{L}}(x)$ is the polynomial corresponding to $\overline{\Delta} = (d_1, d_2, \ldots, \overline{d_L})$. In the same way

$$P_{L+1}(x) = (x + d_L)\, P_{\overline{L}}(x) + P_L(x)$$

$$P_{L+2}(x) = (x + d_{L-1})\, P_{L+1}(x) + P_{\overline{L}}(x)$$

$$\vdots$$

$$P_{2L}(x) = (x + d_1)\, P_{2L-1}(x) + P_{2L-2}(x).$$

Thus, by successive substitutions of the previous polynomial into the next one we get:

$$P_{2L}(x) = (x + d_1)\, P_{2L-1}(x) + P_{2L-2}(x) = (P_L(x))^2. \qquad (9)$$

□

The result can be iterated for successive exponents. In this way, the concatenation of an automaton and its mirror image allows us to realize linear multiplicative polynomial CA. The complementation is due to the fact that rule 90 (150) at the end of the array is equivalent to two consecutive rules 150 (90) with identical sequences.



5 Shrunken sequences as solutions of linear equations: a simple linearization procedure

Now the result that relates the shrunken sequences from shrinking generators with the sequences obtained from linear multiplicative polynomial cellular automata is introduced.

Theorem 1. The characteristic polynomial of the output sequence of a shrinking generator with parameters $L_j \in \mathbb{N}$ and $P_j(x) \in GF(2)[x]$ ($j = 1, 2$) defined as in Section 2 is of the form $P_M(x) = (P(x))^p$, where $P(x) \in GF(2)[x]$ is an $L_2$-degree polynomial and $p$ is an integer satisfying the inequality $2^{(L_1 - 2)} < p \leq 2^{(L_1 - 1)}$.

Proof. The shrunken sequence can be written as a sequence made out of a unique PN-sequence starting at different points and repeated $2^{(L_1 - 1)}$ times. Such a sequence is obtained from $\{b_i\}$ by taking elements separated by a distance $2^{L_1} - 1$, that is, the period of the sequence $\{a_i\}$. As $\gcd(2^{L_1} - 1, 2^{L_2} - 1) = 1$ because $L_1$ and $L_2$ are relatively prime, the result of the decimation of $\{b_i\}$ is a PN-sequence whose characteristic polynomial $P(x)$ of degree $L_2$ is the characteristic polynomial of the cyclotomic coset $2^{L_1} - 1$, that is $P(x) = (x + \alpha^N)(x + \alpha^{2N}) \ldots (x + \alpha^{2^{L_2 - 1} N})$, $N$ being an integer given by $N = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$. Moreover, the number of times that this PN-sequence is repeated coincides with the number of 1's in $\{a_i\}$ since each 1 of $\{a_i\}$ provides the shrunken sequence with $2^{L_2} - 1$ elements of $\{b_i\}$. Consequently, the characteristic polynomial of the shrunken sequence will be $P(x)^p$ with $p \leq 2^{(L_1 - 1)}$. The lower limit follows immediately from equation (3) and the definition of linear complexity of a sequence as the shortest linear recurrence relationship. □

According to its characteristic polynomial, the output sequence of a shrinking generator is a particular solution of a linear difference equation and can be generated by linear multiplicative polynomial CA. Now, the construction of such linear models from the shrinking generator parameters is carried out by the following algorithm:

Linearization algorithm

Input: A shrinking generator characterized by two LFSRs, $R_1$ and $R_2$, with their corresponding lengths, $L_1$ and $L_2$, and the characteristic polynomial $P_2(x)$ of the register $R_2$.

Step 1 From $L_1$ and $P_2(x)$, compute the polynomial $P(x)$ as

$$P(x) = (x + \alpha^N)(x + \alpha^{2N}) \ldots (x + \alpha^{2^{L_2 - 1} N})$$

with $N = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$.

Step 2 From $P(x)$, apply the Cattell and Muzio synthesis algorithm to determine two linear 90/150 CA, notated $S_i$, whose characteristic polynomial is $P(x)$.

Step 3 For each $S_i$ separately, proceed:

3.1 Complement its least significant bit. The resulting binary string is notated $\overline{S_i}$.

3.2 Compute the mirror image of $\overline{S_i}$, notated $\overline{S_i}^{*}$, and concatenate both strings:

$$S_i := \overline{S_i} \,\|\, \overline{S_i}^{*}.$$

3.3 Apply steps 3.1 and 3.2 to each $S_i$ recursively $L_1 - 1$ times.

Output: Two binary strings of length $L = L_2 \cdot 2^{(L_1 - 1)}$ codifying two CA corresponding to the given shrinking generator.

Remark 1. In this algorithm the characteristic polynomial of the register $R_1$ is not needed. Thus, all the shrinking generators with the same $R_2$ but different registers $R_1$ (all of them with the same length $L_1$) can be modelled by the same pair of one-dimensional linear CA.

Remark 2. It can be noticed that the computation of both CA is proportional to $L_1$ concatenations. Consequently, the algorithm can be applied to shrinking generators in the range of practical application.

Remark 3. In contrast to the nonlinearity of the shrinking generator, the CA-based models that generate the shrunken sequence are linear.

In order to illustrate the previous steps a numerical example is presented.

Example 2:

Input: A shrinking generator characterized by two LFSRs: $R_1$ of length $L_1 = 3$, $R_2$ of length $L_2 = 5$ and characteristic polynomial $P_2(x) = 1 + x + \cdots$ [truncated in the scan]

Step 1 $P(x)$ is the characteristic polynomial of the cyclotomic coset $N = 7$. Thus,

$$P(x) = 1 + x^2 + x^5.$$

Step 2 From $P(x)$ and applying the Cattell and Muzio synthesis algorithm, two reversal linear CA whose characteristic polynomial is $P(x)$ can be determined. Such CA are written in binary format as:

01111
11110

Step 3 Computation of the required pair of CA by successive concatenations. For the first automaton:

01111

01110 01110

01110011111111001110 (final automaton)

For the second automaton:

11110

1111111111

11111111100111111111 (final automaton)

For each automaton, the procedure of concatenation has been carried out $L_1 - 1$ times.

Output: Two binary strings of length $L = L_2 \cdot 2^{(L_1 - 1)} = 20$ codifying the required pair of CA.

In this way, we have obtained a pair of linear CA:

(90,150,150,150,90,90,150,150,150,150,150,150,150,150,90,90,150,150,150,90)
(150,150,150,150,150,150,150,150,150,90,90,150,150,150,150,150,150,150,150,150)

both of them able to generate the shrunken sequence corresponding to the given shrinking generator. Consequently, the shrinking generator can be expressed in terms of a linear model based on CA.
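As an added example (not the letter's own code), Step 3 of the linearization algorithm applied to the two 5-cell automata of Example 2, together with a check of Lemma 1: the characteristic polynomial of each 90/150 automaton is computed with the recurrence $P_k(x) = (x + d_k)P_{k-1}(x) + P_{k-2}(x)$ used in the proof of Lemma 1 (assumed here to be the standard way of obtaining the polynomial of a 90/150 CA with null boundaries), and the final 20-cell automata are checked to have polynomial $(P(x))^4$ with $P(x) = 1 + x^2 + x^5$.

```python
# Step 3 of the linearization algorithm (Section 5) on the two automata of
# Example 2, plus a check of Lemma 1.  A CA is a string of 0/1 characters
# (0 = rule 90, 1 = rule 150); a polynomial over GF(2) is a Python int
# whose bit k is the coefficient of x^k.

def concat_step(s):
    """Steps 3.1-3.2: complement the last (least significant) bit, then
    append the mirror image of the complemented string."""
    t = s[:-1] + ("0" if s[-1] == "1" else "1")
    return t + t[::-1]

def linearize(s, L1):
    """Step 3.3: repeat the concatenation L1 - 1 times."""
    for _ in range(L1 - 1):
        s = concat_step(s)
    return s

def gf2_mul(a, b):
    """Carry-less product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf2_pow(a, e):
    """a(x)^e over GF(2) by repeated multiplication."""
    r = 1
    for _ in range(e):
        r = gf2_mul(r, a)
    return r

def ca_char_poly(bits):
    """Characteristic polynomial of a 90/150 CA from the recurrence
    P_k = (x + d_k) P_{k-1} + P_{k-2}, P_0 = 1, P_{-1} = 0 (proof of Lemma 1)."""
    p_prev, p = 0, 1
    for ch in bits:
        d = int(ch)
        p_prev, p = p, (p << 1) ^ (d * p) ^ p_prev   # (x + d) P_{k-1} + P_{k-2}
    return p

def to_rules(bits):
    """Rule list in the notation of the letter, e.g. (90, 150, ...)."""
    return tuple(150 if ch == "1" else 90 for ch in bits)

# Example 2: P(x) = 1 + x^2 + x^5 (Step 1) and its two reversal CA (Step 2)
P = (1 << 5) | (1 << 2) | 1
S1, S2 = "01111", "11110"
L1, L2 = 3, 5

def example_2():
    """Returns the two final automata of Example 2 as 0/1 strings."""
    return linearize(S1, L1), linearize(S2, L1)
```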

6 Conclusions

The pseudo-random noise sequence produced by a shrinking generator is a particular solution of a linear difference equation and can be generated by linear multiplicative polynomial cellular automata. In this way, cryptographic generators conceived and designed as nonlinear generators can be linearized in terms of cellular automata, which implies that such cryptographic generators have been broken. The linearization algorithm used is simple and might be applied to more general sequence generators such as those based on quantum physics and chaotic processes.

Acknowledgements 

This work has been supported by Ministerio de Educación y Ciencia (Spain), Projects SEG2004-02418 and SEG2004-04352-C04-03.

References

[1] GSM, Global Systems for Mobile Communications, available at http://cryptome.org/gsm-a512.htm

[2] Wi-Fi Alliance, RC4 Encryption Algorithm, available at http://www.wifialliance.com

[3] Bluetooth, Specifications of the Bluetooth system, available at http://www.bluetooth.com/

[4] M.S. Baptista, Phys. Lett. A 240 (1998) 50.

[5] C.Y. Chee, D. Xu, Phys. Lett. A 348 (2006) 284.

[6] W. Yu, J. Cao, Phys. Lett. A 356 (2006) 333.

[7] S.W. Golomb, Shift Register Sequences, Aegean Park Press, Laguna Hills, 1982.

[8] A. Fúster-Sabater, Applied Mathematics Letters, 17 (12) (2004) 1427.

[9] P. Caballero-Gil, A. Fúster-Sabater, Information Sciences, 164 (4) (2004) 197.

[10] K. Cattell et al., IEEE Trans. Computer-Aided Design, 15 (3) (1996) 325.

[11] D. Coppersmith, H. Krawczyk and Y. Mansour, LNCS Springer Verlag, 773 (1994) 22.

[12] J. Kari, Theoretical Computer Science, 334 (2005) 3.

[13] R. Lidl, H. Niederreiter, Introduction to Finite Fields and Their Applications, Cambridge University Press, 1986.

[14] K. Cattell, Z. Shujian, J. of Electronic Testing, 6 (1995) 255.



Table 1: A one-dimensional linear cellular automaton of 10 cells with rules 90/150 starting at a given initial state. The period of these sequences is T = 62.